def _va_config_floating_ips(self, ri):
LOG.debug(_('_va_config_floating_ips: %s'), ri.router['id'])
prefix = va_utils.get_dnat_rule_name(ri)
self.rest.del_cfg_objs(va_utils.REST_URL_CONF_NAT_RULE, prefix)
# add new dnat rules
for idx, fip in enumerate(ri.floating_ips):
body = {
'name':
'%s_%d' % (prefix, idx),
'ingress-context-type':
'zone',
'ingress-index':
va_utils.get_untrusted_zone_name(ri),
'destination-address':
[[fip['floating_ip_address'], fip['floating_ip_address']]],
'static': [fip['fixed_ip_address'], fip['fixed_ip_address']],
'flag':
'translate-destination'
}
self.rest.rest_api('POST', va_utils.REST_URL_CONF_NAT_RULE, body)
if ri.floating_ips:
self.rest.commit()
def _va_config_untrusted_zone(self, ri, plist):
zone = va_utils.get_untrusted_zone_name(ri)
LOG.debug(_("_va_config_untrusted_zone: %s"), zone)
body = {
'name': zone,
'type': 'L3',
'interface': []
}
if not self._va_unset_zone_interfaces(zone):
# if zone doesn't exist, create it
self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, body)
self.rest.commit()
# add new gateway ports to untrusted zone
if ri.ex_gw_port:
LOG.debug(_("_va_config_untrusted_zone: gw=%r"), ri.ex_gw_port)
dev = self.get_external_device_name(ri.ex_gw_port['id'])
pif = self._va_get_port_name(plist, dev)
if pif:
lif = self._va_pif_2_lif(pif)
self._va_set_interface_ip(pif, ri.ex_gw_port['ip_cidr'])
body['interface'].append(lif)
self.rest.rest_api('PUT', va_utils.REST_URL_CONF_ZONE, body)
self.rest.commit()
def test_agent_external_gateway(self):
router = self._create_router()
try:
router.rest.auth()
except Exception:
# skip the test, firewall is not deployed
return
ri = self._prepare_router_data(enable_snat=True)
router._router_added(ri.router['id'], ri.router)
url = varmour_utils.REST_URL_CONF_ZONE
prefix = varmour_utils.get_untrusted_zone_name(ri)
router.process_router(ri)
n = router.rest.count_cfg_objs(url, prefix)
self.assertEqual(n, 1, 'prefix %s' % prefix)
del ri.router['gw_port']
router.process_router(ri)
n = router.rest.count_cfg_objs(url, prefix)
self.assertEqual(n, 1, 'prefix %s' % prefix)
router._router_removed(ri.router['id'])
n = router.rest.count_cfg_objs(url, prefix)
self.assertEqual(n, 0, 'prefix %s' % prefix)
def test_agent_external_gateway(self):
router = self._create_router()
try:
router.rest.auth()
except Exception:
# skip the test, firewall is not deployed
return
ri = self._prepare_router_data(enable_snat=True)
router._router_added(ri.router['id'], ri.router)
url = varmour_utils.REST_URL_CONF_ZONE
prefix = varmour_utils.get_untrusted_zone_name(ri)
router.process_router(ri)
n = router.rest.count_cfg_objs(url, prefix)
self.assertEqual(n, 1, 'prefix %s' % prefix)
del ri.router['gw_port']
router.process_router(ri)
n = router.rest.count_cfg_objs(url, prefix)
self.assertEqual(n, 1, 'prefix %s' % prefix)
router._router_removed(ri.router['id'])
n = router.rest.count_cfg_objs(url, prefix)
self.assertEqual(n, 0, 'prefix %s' % prefix)
def _va_config_untrusted_zone(self, ri, plist):
zone = va_utils.get_untrusted_zone_name(ri)
LOG.debug(_("_va_config_untrusted_zone: %s"), zone)
body = {
'name': zone,
'type': 'L3',
'interface': []
}
if not self._va_unset_zone_interfaces(zone):
# if zone doesn't exist, create it
self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, body)
self.rest.commit()
# add new gateway ports to untrusted zone
if ri.ex_gw_port:
LOG.debug(_("_va_config_untrusted_zone: gw=%r"), ri.ex_gw_port)
dev = self.get_external_device_name(ri.ex_gw_port['id'])
pif = self._va_get_port_name(plist, dev)
if pif:
lif = self._va_pif_2_lif(pif)
self._va_set_interface_ip(pif, ri.ex_gw_port['ip_cidr'])
body['interface'].append(lif)
self.rest.rest_api('PUT', va_utils.REST_URL_CONF_ZONE, body)
self.rest.commit()
def _setup_policy(self, ri, fw):
# create zones no matter if they exist. Interfaces are added by router
body = {
'type': 'L3',
'interface': []
}
body['name'] = va_utils.get_trusted_zone_name(ri)
self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, body)
body['name'] = va_utils.get_untrusted_zone_name(ri)
self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, body)
self.rest.commit()
servs = dict()
addrs = dict()
for rule in fw['firewall_rule_list']:
if not rule['enabled']:
continue
if rule['ip_version'] == 4:
service = self._make_service(ri, fw, rule, servs)
s_addr = self._make_address(ri, fw, rule, addrs, True)
d_addr = self._make_address(ri, fw, rule, addrs, False)
policy = va_utils.get_firewall_policy_name(ri, fw, rule)
z0 = va_utils.get_trusted_zone_name(ri)
z1 = va_utils.get_untrusted_zone_name(ri)
body = self._make_policy(policy + '_0', rule,
z0, z0, s_addr, d_addr, service)
self.rest.rest_api('POST', va_utils.REST_URL_CONF_POLICY, body)
body = self._make_policy(policy + '_1', rule,
z0, z1, s_addr, d_addr, service)
self.rest.rest_api('POST', va_utils.REST_URL_CONF_POLICY, body)
body = self._make_policy(policy + '_2', rule,
z1, z0, s_addr, d_addr, service)
self.rest.rest_api('POST', va_utils.REST_URL_CONF_POLICY, body)
self.rest.commit()
else:
LOG.warn(_("Unsupported IP version rule."))
def _setup_policy(self, ri, fw):
# create zones no matter if they exist. Interfaces are added by router
body = {
'type': 'L3',
'interface': []
}
body['name'] = va_utils.get_trusted_zone_name(ri)
self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, body)
body['name'] = va_utils.get_untrusted_zone_name(ri)
self.rest.rest_api('POST', va_utils.REST_URL_CONF_ZONE, body)
self.rest.commit()
servs = dict()
addrs = dict()
for rule in fw['firewall_rule_list']:
if not rule['enabled']:
continue
if rule['ip_version'] == 4:
service = self._make_service(ri, fw, rule, servs)
s_addr = self._make_address(ri, fw, rule, addrs, True)
d_addr = self._make_address(ri, fw, rule, addrs, False)
policy = va_utils.get_firewall_policy_name(ri, fw, rule)
z0 = va_utils.get_trusted_zone_name(ri)
z1 = va_utils.get_untrusted_zone_name(ri)
body = self._make_policy(policy + '_0', rule,
z0, z0, s_addr, d_addr, service)
self.rest.rest_api('POST', va_utils.REST_URL_CONF_POLICY, body)
body = self._make_policy(policy + '_1', rule,
z0, z1, s_addr, d_addr, service)
self.rest.rest_api('POST', va_utils.REST_URL_CONF_POLICY, body)
body = self._make_policy(policy + '_2', rule,
z1, z0, s_addr, d_addr, service)
self.rest.rest_api('POST', va_utils.REST_URL_CONF_POLICY, body)
self.rest.commit()
else:
LOG.warn(_LW("Unsupported IP version rule."))
def _va_config_floating_ips(self, ri):
LOG.debug(_("_va_config_floating_ips: %s"), ri.router["id"])
prefix = va_utils.get_dnat_rule_name(ri)
self.rest.del_cfg_objs(va_utils.REST_URL_CONF_NAT_RULE, prefix)
# add new dnat rules
for idx, fip in enumerate(ri.floating_ips):
body = {
"name": "%s_%d" % (prefix, idx),
"ingress-context-type": "zone",
"ingress-index": va_utils.get_untrusted_zone_name(ri),
"destination-address": [[fip["floating_ip_address"], fip["floating_ip_address"]]],
"static": [fip["fixed_ip_address"], fip["fixed_ip_address"]],
"flag": "translate-destination",
}
self.rest.rest_api("POST", va_utils.REST_URL_CONF_NAT_RULE, body)
if ri.floating_ips:
self.rest.commit()
def _va_config_floating_ips(self, ri):
LOG.debug(_('_va_config_floating_ips: %s'), ri.router['id'])
prefix = va_utils.get_dnat_rule_name(ri)
self.rest.del_cfg_objs(va_utils.REST_URL_CONF_NAT_RULE, prefix)
# add new dnat rules
for idx, fip in enumerate(ri.floating_ips):
body = {
'name': '%s_%d' % (prefix, idx),
'ingress-context-type': 'zone',
'ingress-index': va_utils.get_untrusted_zone_name(ri),
'destination-address': [[fip['floating_ip_address'],
fip['floating_ip_address']]],
'static': [fip['fixed_ip_address'], fip['fixed_ip_address']],
'flag': 'translate-destination'
}
self.rest.rest_api('POST', va_utils.REST_URL_CONF_NAT_RULE, body)
if ri.floating_ips:
self.rest.commit()
def _router_removed(self, router_id):
LOG.debug(_("_router_removed: %s"), router_id)
ri = self.router_info[router_id]
if ri:
ri.router['gw_port'] = None
ri.router[l3_constants.INTERFACE_KEY] = []
ri.router[l3_constants.FLOATINGIP_KEY] = []
self.process_router(ri)
name = va_utils.get_snat_rule_name(ri)
self.rest.del_cfg_objs(va_utils.REST_URL_CONF_NAT_RULE, name)
name = va_utils.get_dnat_rule_name(ri)
self.rest.del_cfg_objs(va_utils.REST_URL_CONF_NAT_RULE, name)
name = va_utils.get_trusted_zone_name(ri)
self._va_unset_zone_interfaces(name, True)
name = va_utils.get_untrusted_zone_name(ri)
self._va_unset_zone_interfaces(name, True)
del self.router_info[router_id]
def _router_removed(self, router_id):
LOG.debug(_("_router_removed: %s"), router_id)
ri = self.router_info[router_id]
if ri:
ri.router['gw_port'] = None
ri.router[l3_constants.INTERFACE_KEY] = []
ri.router[l3_constants.FLOATINGIP_KEY] = []
self.process_router(ri)
name = va_utils.get_snat_rule_name(ri)
self.rest.del_cfg_objs(va_utils.REST_URL_CONF_NAT_RULE, name)
name = va_utils.get_dnat_rule_name(ri)
self.rest.del_cfg_objs(va_utils.REST_URL_CONF_NAT_RULE, name)
name = va_utils.get_trusted_zone_name(ri)
self._va_unset_zone_interfaces(name, True)
name = va_utils.get_untrusted_zone_name(ri)
self._va_unset_zone_interfaces(name, True)
del self.router_info[router_id]
